Security News > 2024 > February > Bumblebee malware wakes from hibernation, forgets what year it is, attacks with macros

The Bumblebee malware loader seemingly vanished from the internet last October, but it's back and - oddly - relying on a vintage vector to try and gain access.

First spotted in 2022 by researchers at Proofpoint - who identified it as an apparent replacement for BazarLoader - Bumblebee was originally used by high-profile ransomware groups including Russia-linked Conti.

Out of nearly 230 uses of Bumblebee since March 2022, Proofpoint said only five campaigns used macros - four of which relied on XL4 in Excel, while just one relied on VBA. The rest of the intrusion attempts have used more evolved tactics - like malicious DLLs, HTML smuggling to drop RAR files, LNK files and zipped VBS attachments.

If, somehow, a victim's system had re-enabled Word macros by default and this Bumblebee chain managed to trigger - which the security group told The Register it hasn't actually seen in the wild - the macro would create a script in the Windows temp directory that ran a series of PowerShell commands to download and run the Bumblebee DLL. "We cannot say what the follow-on payload would be in this campaign, however historically Proofpoint has previously observed Bumblebee dropping Cobalt Strike, shellcode, and Sliver among other malware," Proofpoint senior threat intelligence analyst Selena Larson told us in an emailed statement.

Indicators of compromise are included in the report on this Bumblebee resurgence campaign.

Unsurprisingly, Proofpoint doesn't think this campaign is linked to a tracked threat actor - despite the fact that the voicemail lure, use of OneDrive, and sender email address align with previous activity from the North Korean-aligned TA579, which has been behind previous Bumblebee campaigns.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/02/14/bumblebee_malware_back/